UPDATED 13:29 EDT / AUGUST 16 2019

SECURITY

Trend Micro exposes 85 adware apps on Google Play with 8M+ downloads

Google LLC has built security mechanisms into Google Play to keep malicious Android apps out, but occasionally cybercriminals find a way to jump the moat.

Researchers from antivirus maker Trend Micro Inc. today revealed that they’ve discovered a family of 85 adware-laced applications on the marketplace. The apps, which Google removed after Trend Micro notified it, had been downloaded more than 8 million times by Android users.

Mobile adware always follows the same modus operandi. Cybercriminals bundle intrusive ad components into seemingly innocuous apps, such as games, and display promotions on the user’s device to generate fraudulent advertising revenue. The adware apps exposed by Trend Micro use several creative methods to maximize the illicit earnings they generate off unsuspecting consumers.

To start, the apps actively take steps to evade detection. They start a timer right after being installed on a user’s device and stay dormant for 30 minutes. This helps conceal the adware from mobile antiviruses, which automatically quarantine software that starts displaying unusual activity soon after being downloaded.

“Every time the user unlocks the device, the adware will perform several checks …. with these, the adware-embedded app can determine if it has been installed on the device long enough,” Trend Micro mobile threat response engineer Ecular Xu wrote in a blog post. “To evade detection, the app uses Java reflection — which enables the runtime behaviors of an application to be inspected or modified — and encodes the API strings in base64.”
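A defender's static check for the pattern Xu describes (base64-encoded API strings resolved through Java reflection), as an added example that is not from Trend Micro's report or this article. The decompiled-style sample is constructed, and the KeyguardManager names in it are an assumed illustration, not strings recovered from the adware.

```python
import base64
import binascii
import re

# A quoted literal made only of base64 characters, at least 8 long, well padded.
B64_RE = re.compile(
    r'"((?:[A-Za-z0-9+/]{4}){2,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?)"')
# A Java identifier or dotted class name, e.g. pkg.Class or methodName.
NAME_RE = re.compile(r'[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*', re.ASCII)
# Common reflection entry points.
REFLECT_RE = re.compile(r'Class\.forName|\.get(?:Declared)?Method\(|\.invoke\(')

def decode_api_name(literal):
    """Return decoded text if the literal is base64 for a Java name, else None."""
    try:
        text = base64.b64decode(literal, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # not base64, or decodes to binary rather than a name
    return text if NAME_RE.fullmatch(text) else None

def scan(source):
    """List (line number, decoded name, confidence) for suspicious literals."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for literal in B64_RE.findall(line):
            name = decode_api_name(literal)
            if name is None:
                continue
            # A dotted class name, or a literal passed straight to a reflection
            # call, is a strong signal; a bare word may be a coincidence.
            strong = "." in name or bool(REFLECT_RE.search(line))
            findings.append((lineno, name, "high" if strong else "low"))
    return findings

def enc(s):
    return base64.b64encode(s.encode()).decode()

# Constructed sample input (not from any real app).
SAMPLE = "\n".join([
    f'String a = new String(Base64.decode("{enc("android.app.KeyguardManager")}", 0));',
    'Class<?> c = Class.forName(a);',
    f'Method m = c.getMethod(new String(Base64.decode("{enc("isKeyguardLocked")}", 0)));',
    f'String title = "{enc("Settings")}";',
    'String banner = "Welcome back to the game!";',
])

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The "low" result on the fourth sample line shows why decoded names alone are a weak signal: short ordinary words can also be valid base64 for an identifier, so findings are best ranked by their proximity to reflection calls.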

The adware is also hard to delete. Upon installation, the malicious apps replace their icon on the Android home screen with a shortcut, which unlike a default icon can’t be removed by dragging it to the trash bin.

The apps enable their creators to remotely control ad delivery. The cybercriminals can run promotions at more frequent intervals than in a standard Android application and make sure a promotion isn’t displayed multiple times in a row. 

“The frequency of ads being displayed can be remotely configured by the fraudster (the default is five minutes), so it could exacerbate the nuisance for users,” Trend Micro’s Xu wrote.

Trend Micro’s report represents only the latest in a series of adware discoveries on Google Play. In March, Check Point Software Technologies Ltd. exposed an Android adware family dubbed SimBad that had been downloaded nearly 150 million times. Previously, Check Point uncovered a series of faux flashlight apps that infected as many as 7.5 million Android devices with ad-pushing code.  
